The present invention relates to a distributed system for operating devices having incorporated therein one or a plurality of processors each having a function of preserving data, a function of processing a program, and a communication function such that the devices are associated with one another. Particularly, the present invention relates to a method of mutually opening data communicated between devices, which have a function of communicating data with one another and a function of arbitrarily executing programs, to determine whether or not the devices should be associated with one another. The method is particularly suitable for applications in control systems such as a building/home automation system, social systems such as plant control, manufacturing, distribution and the like, traffic systems, and the like.
In step with the advanced downsizing associated with the trend toward higher performance and higher density of semiconductor devices, processors having calculating capabilities no longer reside only in dedicated computers but are increasingly incorporated in devices of every kind. Further, as represented by the Internet, means are gradually being put in place for communicating with computer systems through these devices. When such devices having communication capabilities are operated in association with one another, an access control list, for example, is used in a method for authenticating a target device. This method involves comparing an identifier of an associated target device, or a user identifier entered by the user of the target device, with the access control list stored in a particular device to determine whether or not the two devices should be associated with each other. Also, for association through a plurality of devices, a method such as “Delegation” is used for integrating the results of authentications for the plurality of devices. These techniques are described, for example, in “CORBA Security Service—Outline and Implementation,” UNISYS Technical Report, No. 55.
According to the foregoing prior art, respective devices must have been previously defined as an accessible device or an inaccessible device in the access control list. In other words, a target device or user must be assumed in advance, and an access right must have been previously determined for it. However, since users can readily learn where the information that is the basis for the determination is located, the information is susceptible to attacks such as tampering. Also, from a viewpoint of operation, in an environment which includes a large number of devices that can change in configuration over time, the aforementioned method based on previous definition is limited in its ability to assume all devices in advance, thus giving rise to a problem that flexible association cannot be provided for new devices. Otherwise, the access control list must be defined again in conformity with changes in the configuration of devices, causing additional labor and time. Moreover, another problem arises when a device changes in performance or in the content of the processing it performs: after the device has been authenticated only with its identifier, a malfunction of the device will affect the association.